Physical Security Auditing for Utilities: A Guide to Resilient Substation

Abstract

Electric power substations, as critical components of modern power grids, are increasingly becoming targets for intentional physical attacks, including vandalism, theft, and sabotage. These threats, coupled with the potential for cyber-attacks and the weaponization of technologies, necessitate robust security measures and comprehensive auditing practices. Despite utilities providers’ focus on understanding grid vulnerability and implementing physical security upgrades, there is a recognized gap in evaluating the effectiveness and long-term usability of these measures. This paper addresses the need for regular security audits to identify vulnerabilities and ensure the overall resilience of substations against evolving threats. The rationale behind this study is to propose a conventional auditing method that includes an auditing framework, checklists, inspections, and post-inspection suggestions. Through the systematic identification and addressing of vulnerabilities via security auditing, the framework aims to significantly enhance the resilience of substations against physical threats. This paper provides a comprehensive guideline for the physical security auditing procedure, which is essential for the reliable operation of the power grid.

1. Introduction

Electric power substations are a fundamental critical infrastructure and the linchpins of the modern power grid acting as the key essential service to our daily life [1,2]. The world of threats targeting energy infrastructure and substations is constantly evolving [3]. Physical threats such as vandalism and theft remain concerns; however, the rise of sophisticated cyber-attacks and the potential weaponization of readily available technologies introduce new challenges. Additionally, the increasing interconnectedness of power grids can create cascading effects, where an attack on a single substation can trigger widespread outages across a larger region. In recent years, the vulnerability of substations to physical attacks has become a cause for significant concern. Many incidents like targeted sabotage, vandalism, and equipment malfunctions have disrupted power grids and plunged entire regions into darkness. The 2022 attacks on substations in North Carolina [4], the Pacific Northwest [5], and Washington State [6] serve as stark reminders of the potential consequences of inadequate physical security. Apart from these, natural disasters, operational errors, and cyber-induced physical threats also impose physical threats to substations [7,8,9]. Many such events have been taking place every year worldwide for various reasons such as social, geo-political, political, economic, geographical reasons, or due to terrorism, etc., causing large-area power outages and leading to public security threats [1,9,10]. Studies have emphasized the importance of robust substation security measures in mitigating disruptions to power grids and safeguarding critical infrastructure [9,11,12]. Article [13] estimates the vulnerability levels faced and explores the potential consequences of terrorist attacks on substations, highlighting the need for comprehensive security and protection measures to address these diverse risks. The imperative need for robust security measures to protect critical infrastructures and components in the face of ever-expanding physical and cyber threats cannot be overstated. Events in recent years have underscored the absolute necessity for a comprehensive security approach that encompasses not only physical barriers and access control systems but also extensive security auditing practices to ensure the highest levels of effectiveness and preparedness.

While electric power utilities have faced numerous physical attacks and threats to their substations and other infrastructures, the focus has primarily been on understanding the grid’s vulnerability to such threats and implementing physical security upgrades, enhancing backup power supply rerouting power, etc. However, less attention has been paid to evaluating the effectiveness and long-term usability of these security measures, assessing equipment aging and performance, and ensuring preparedness for potential breaches. Also, the existing literature does not acknowledge the significance of security audits in identifying vulnerabilities and enhancing substation security. Bridging this gap, regular security audits can play a vital role in identifying vulnerabilities, evaluating the effectiveness of existing security measures, and ultimately ensuring the overall resilience of substations. These audits provide a systematic framework for assessing security posture, enabling the development of proactive mitigation strategies to address potential weaknesses before they can be exploited. By proactively identifying and addressing vulnerabilities, security audits can significantly enhance the resilience of substations against physical threats.

In the field of security auditing for electric power infrastructure, researchers have merely focused on information security auditing, auditing for cloud computing cyber security auditing, etc. For example, to address the need for cyber security auditing, the authors of reference [14] proposed a scheme combining SCD configuration file parsing with network traffic identification, allowing for real-time monitoring and security auditing of intelligent substation network threats. Additionally, the cybersecurity of electric power systems, including substations, has been recognized as a strategic issue of national importance, with research being conducted to counteract external cyber threats [15]. Patent [16] describes a method for improving the efficiency of security auditing in intelligent transformer substations by analyzing data from the station control layer and spacer layer. Patent [17] proposes a security auditing method for traditional transformer substations by analyzing IEC103 protocol flows and leveraging a configuration file to identify abnormal behaviors. Patent [18] describes a method for the secure maintenance of substation automation devices across a wide area through encrypted authentication, audit logging, and visual responsibility area displays. In [19], a security metric for intelligent electronic devices (IEDs) is proposed to examine the security of IEC61850 networks, alongside a comparison with traditional metrics used for conventional computer networks. Article [20] proposes an intelligent drone-based monitoring system for substations that utilizes image recognition for worker safety violations and environmental hazards, offering real-time early warnings and optimized inspection paths to enhance safety and efficiency. Article [21] proposes a system for cooperative substation inspection using robots and drones, employing an improved A* algorithm with Bezier curves for efficient multi-machine path planning while considering potential electromagnetic interference from the substation. Although these studies have focused on network side auditing, equipment monitoring, and safety inspection, which can be a part of physical security audit processes, but they provide only limited information regarding the physical security audit process and its framework. Also, these auding methods are only applicable limited insights of physical security, thus it is necessary to look towards creating a full physical security auditing framework.

Physical security vulnerabilities in power substations can pose significant risks to the entire cyber–physical system. Physical intrusions can serve as entry points for cyberattacks, potentially leading to severe consequences for the power grid. Several studies have explored this issue from various perspectives, highlighting the importance of physical security monitoring and integrated in-depth defense approaches. Xie et al. [22,23,24] have investigated physical security monitoring systems for substations, including video surveillance, motion detectors, and intrusion classification. These studies emphasize the need for a holistic approach to security, considering the interdependencies between physical and cyber threats. Khanna et al. [25] propose an integrated framework to address both physical and cyber security concerns in power transmission systems. Their approach combines the assessment of the physical implications of substation failures with cyber vulnerabilities to analyze cyber–physical risks holistically. Also, ref. [26] highlights the critical need for robust physical layer security measures in smart distribution networks, as cyberattacks targeting under-load tap-changing transformers can lead to manipulated voltage profiles and compromised system integrity. Additionally, strategic bidding behaviors among power producers, as explored in [27], can pose significant physical security risks. The potential for market participants to manipulate bidding strategies could lead to operational challenges and vulnerabilities, thereby compromising the overall stability and reliability of the grid. Furthermore, the intermittent nature of renewable energy sources, such as wind power, as highlighted in [28], can introduce physical security risks to the power system emphasizing the necessity for robust risk management strategies to address the challenges associated with integrating wind energy into the grid, ensuring the overall stability and reliability of power operations. The literature underscores the necessity of comprehensive security measures that address both physical and cyber aspects of substation security while also considering a multi-dimensional approach. Integrated approaches are crucial for effective risk assessment and mitigation in power substations.

The existing literature on physical security auditing for utilities reveals several critical research gaps that need to be addressed. While there is a growing body of work focusing on methodologies and frameworks, significant areas remain underexplored, particularly in the context of comprehensive auditing practices.

Table 1. Research gaps in existing publications on physical security auditing of electrical utilities.

Research Gap	Description
Lack of comprehensive research especially for physical security auditing of substations	Many studies discuss critical infrastructure protection standards that include only physical security requirements, and there is a lack of comprehensive research specifically focused on physical security auditing methodologies for utility assets [29,30].
No standard framework for auditing	The IEEE Std 1402 guide offers recommendations on various aspects of substation security, including perimeter protection, access control, and surveillance systems [7,31]. And, NERC CIP-014 is a critical infrastructure protection standard specifically focused on physical security for the most critical transmission stations and substations [10,31]. Interestingly, while these standards provide valuable guidance, there is no universally accepted framework for auditing the physical security of substations.
Methodological limitations	Current methodologies primarily assess vulnerabilities related to specific threats, such as physical attacks and cyber threats, but lack a holistic approach that integrates various threat vectors [9,32]. The focus on asset maintenance overshadows other lifecycle stages, indicating a need for more balanced research across planning, acquisition, and disposal [33].
Integration of technologies	There is insufficient integration between physical and cyber security auditing approaches for utilities. As utilities evolve into cyber-physical-human systems with increasing interconnections, there is a need for holistic auditing frameworks that can evaluate physical, cyber, and human elements together [30,34]. There is limited exploration of how emerging technologies, such as real-time monitoring systems, can enhance security auditing processes in utilities [15]. The potential for digital transformation to improve asset management and security auditing remains largely unexamined [33].
Quality control in security products	The quality and stability of physical security products, such as physical gaps, are inadequately addressed, particularly regarding stress testing [35].

summarizes the research gap for physical security auditing of electric power substations.

The North American Electric Reliability Corporation (NERC) has identified inconsistencies in auditing practices across its eight regional entities, highlighting the need for a more standardized approach to physical security auditing in the electric power sector [36]. While security risk assessment involves a forward-looking perspective, security audits focus on current practices and compliance. Despite the importance of security audits, research has primarily concentrated on security risk assessment, neglecting the need for a systematic approach to physical security auditing. This paper aims to address this gap by proposing a conventional approach that relies on checklists and inspections to assess perimeter security, access control system functionality, and the operability of security systems.

The primary contribution of this paper is the proposal of a comprehensive auditing framework for enhancing the physical security of electric power substations. Furthermore, it emphasizes the significance of regular security audits to identify vulnerabilities and ensure the resilience of substations against evolving threats. The key aspects of the paper’s contributions are as follows:

• Auditing Framework: The paper presents a structured auditing methodology that encompasses planning, on-site audits, post-audit analysis, and reporting, followed by a periodic review.
• Vulnerability Identification: It presents a systematic approach to examine all aspects of substation security infrastructure, including physical barriers, access control systems, and security technologies.
• Risk Assessment: The paper discusses the process of assessing associated risks once vulnerabilities are identified, including the likelihood of exploitation and potential consequences.
• Compliance Verification: It highlights the role of security audits in ensuring adherence to security regulations, standards, and industry best practices.
• Continuous Improvement: The paper emphasizes the necessity for a culture of continuous improvement in security practices, which is facilitated through regular security audits.
• Guidelines for Physical Security Auditing: The paper provides comprehensive guidelines for the physical security auditing procedure, which can contribute to the overall reliability of the power grid.
• Risk Matrix and Scoring System: It introduces a quantifiable measure to assess substation preparedness against physical attacks, identifying areas for improvement and guiding resource allocation.
• Recommendations for Enhancement: Based on the audit findings, the paper offers specific recommendations for enhancing substation security, including immediate actions, suggested implementations, and long-term strategies.

By providing a detailed framework and methodology for conducting physical security audits, the paper aims to significantly enhance the resilience of substations against physical threats, thereby contributing to the overall reliability and security of the power grid.

The remainder of the paper is structured as follows: Section 2 explains the significance and benefits of regular security auditing, Section 3 discusses the methodology involved in physical security auditing, Section 4 discusses the proposed example of a conventional framework for substation physical security audit process, and finally, Section 5 puts forward the conclusion, recommendations, and future research directions.

2. Significance of Regular Security Auditing

Regular security audits are crucial for the physical security of electric power substations to keep their security intact. In general, these audits provide a systematic and comprehensive approach to securing substation infrastructure. By identifying and prioritizing vulnerabilities, they enable utilities providers to proactively mitigate risks and enhance the overall resilience of their substations against a range of physical and physically induced cyber threats. Conducting regular security audits fosters a culture of continuous improvement in security practices, protects critical infrastructure, ensures reliable power delivery, and maintains stakeholder trust. Essentially, regular security audits offer a comprehensive approach to substation security, providing stakeholders with increased confidence in the overall security posture, identifying areas for improvement, and minimizing the likelihood of successful security breaches, which safeguard critical infrastructure and ensure the reliable operation of the power grid.

Figure 1 illustrates the significance of regular security auditing, outlining its purpose and benefits.

2.1. Purpose of Regular Security Auditing in Substation Security

The primary purpose of this audit is to systematically identify, assess, and address vulnerabilities within the substation’s security posture. These audits can achieve their purpose through a series of well-defined objectives, which are listed below:

• Comprehensive Vulnerability Identification: Security audits employ a systematic approach to examine all aspects of the substation’s security infrastructure. This includes a thorough evaluation of physical barriers, access control systems, security technologies, and operational procedures. The main aim is to uncover any potential weaknesses that could be exploited by malicious actors.
• Risk-Based Prioritization: Once vulnerabilities are identified, the audit process moves on to assess the associated risks. This involves evaluating factors such as the likelihood of a specific vulnerability being exploited, the potential consequences of successful attacks, and the sensitivity of the assets at risk. Based on this risk assessment, vulnerabilities are prioritized for remediation, ensuring that efforts are focused on addressing the most critical issues first and minimizing the overall security risk profile. They can also be used to identify any upcoming threats or changes in the environment (such as increased gunfire, theft, chaos in the community, etc.) to ensure extra security prioritization.
• Enhanced Risk Assessment and Mitigation Processes: Regular security audits provide valuable feedback that can be utilized to continuously improve risk assessment and mitigation processes. By identifying previously unknown vulnerabilities and highlighting gaps in existing security measures, these audits inform the development of more effective mitigation strategies and contribute to a culture of continuous security improvement.
• Compliance Verification: Security audits also play a vital role in ensuring compliance with applicable security regulations, standards, and industry best practices. By verifying adherence to these requirements, audits help to reduce the risk of legal and regulatory repercussions associated with inadequate security measures.

2.2. Benefits of Regular Security Auditing

The ever-present threat landscape necessitates a comprehensive approach to substation security, with regular security audits forming an essential component. Regular security audits provide a systematic and structured framework for assessing a substation’s security posture. Through a comprehensive evaluation process, security audits deliver several key benefits:

• Enhanced Vulnerability Identification and Risk Assessment: Audits systematically uncover physical vulnerabilities such as inadequate access controls, outdated equipment, weak perimeter security measures, etc. This enables a more accurate assessment of potential risks associated with these vulnerabilities, allowing for targeted mitigation strategies.
• Prioritized Mitigation Efforts: By prioritizing vulnerabilities based on their severity and likelihood of exploitation, audits guide remediation efforts. This ensures that critical vulnerabilities are addressed first, optimizing resource allocation and maximizing the impact of security measures.
• Ensured Compliance with Regulations: Security regulations and standards can evolve. Regular audits ensure that substations remain compliant with these evolving requirements, minimizing the risk of legal or regulatory repercussions.
• Improved Substation Resilience: Continuous improvement in security posture is fundamental to building a resilient substation. Audits not only identify weaknesses but also contribute to a proactive approach to security management, fostering a culture of continuous improvement and ensuring that vulnerabilities are addressed before they can be exploited.
• Reduced Insurance Costs: Insurance companies often offer discounts to power companies that have strong physical security measures in place and comply with regulations [37,38]. A security audit can help identify areas for improvement that could lead to lower insurance premiums.

3. Methodologies for Physical Security Auditing of Electric Power Substations

Physical security auditing plays a crucial role in security compliance checks involving certain steps, procedures, methods, etc. This Section includes a detailed explanation of the key steps involved in conducting physical security audits of electric power substations, the types of physical security audits, and the importance of involving qualified security professionals in the auditing process.

3.1. Key Steps Involved in Conducting Physical Security Audits of Electric Power Substations

Physical security audits of electric power substations should follow a structured and comprehensive approach to effectively identify, assess, and address potential vulnerabilities. The key steps involved in this process include the following:

• Planning and Preparation: The audit process begins with careful planning and preparation. This involves defining the scope of the audit, identifying the team members, establishing the audit schedule, and gathering relevant background information about the substation and site.
• Data Collection and Review: Auditors gather and review relevant data about the substation, including physical layout, access controls, security systems, operational procedures, and maintenance records. This information provides a baseline understanding of the substation’s security posture.
• Risk Assessment: Based on the collected data, auditors conduct a comprehensive risk assessment to identify and prioritize potential vulnerabilities. This involves evaluating the likelihood of exploitation and the potential impact of each vulnerability.
• Vulnerability Testing: To thoroughly assess the identified vulnerabilities, auditors perform vulnerability testing using various techniques such as physical assessments, penetration testing, and vulnerability scans. These techniques provide a hands-on evaluation of the substation’s security posture.
• Findings and Recommendations: The audit’s findings are documented in a detailed report that outlines the identified vulnerabilities, their risk assessment, and recommendations for mitigation. The report should be clear, concise, and actionable.
• Remediation and Follow-up: The utility managers should prioritize and implement the recommended mitigation measures to address the identified vulnerabilities. Follow-up audits should be conducted to verify the effectiveness of the implemented mitigation measures and ensure the ongoing security of the substation.

3.2. Types of Security Audits

Physical security audits of electric power substations typically involve a combination of different audit types to provide a comprehensive assessment of the substation’s security posture. This includes the following:

• Physical Assessments: Physical assessments involve on-site inspection and evaluation of the substation’s physical infrastructure, perimeter security measures, access controls, and security systems [39]. This type of audit assesses the physical vulnerabilities of the substation.
• Penetration Testing: Penetration testing involves simulated attacks on the substation’s cyberspace and networks to identify and exploit vulnerabilities [40]. This type of audit assesses the cybersecurity posture of the substation.
• Vulnerability Scans: Vulnerability scans use automated tools to identify and scan for known vulnerabilities in the substation’s cyber and physical infrastructure with modern technologies [40,41]. This type of audit provides a rapid assessment of common vulnerabilities.

3.3. Importance of Qualified Security Professionals

Involving qualified security professionals in the physical security auditing process is crucial for ensuring the effectiveness and credibility of security audits. By involving qualified security professionals, utilities can ensure that physical security audits provide valuable insights into their substation’s security posture, enabling proactive mitigation of vulnerabilities and enhanced protection of critical infrastructure. These professionals possess the necessary expertise, knowledge, and experience to carry out the following:

• Thorough Vulnerability Identification: Security professionals can effectively identify and assess a wide range of vulnerabilities, including physical, cyber, and procedural weaknesses.
• Accurate Risk Assessment: They can accurately evaluate the likelihood of exploitation and the potential impact of each vulnerability, providing a comprehensive risk assessment.
• Effective Mitigation Strategies: Security professionals can develop and recommend practical and effective mitigation strategies to address the identified vulnerabilities.
• Compliance with Standards: They can ensure that the audit process adheres to applicable security regulations, standards, and industry best practices.
• Clear Communication of Findings: Security professionals can effectively communicate the audit findings to management and stakeholders in a clear, concise, and actionable manner.

3.4. Frequency and Timing of Physical Security Audit

This Section includes a detailed explanation of the frequency and timing of physical security audits for electric power substations.

3.4.1. Frequency of Physical Security Audits

The frequency of security audits for electric power substations should be determined based on a comprehensive assessment of the substation’s size, sensitivity, and risk profile. In general, a risk-based approach should be adopted to determine the frequency of physical security audits. The following factors should be considered:

• Substation Size: Larger substations with more complex infrastructure and a wider range of assets typically require more frequent audits due to the increased potential for vulnerabilities.
• Substation Sensitivity: Substations that play a critical role in the power grid or serve sensitive areas may require more frequent audits to ensure the highest level of protection.
• Risk Profile: Substations with a higher risk profile, based on factors such as location, threat history, and asset criticality, should undergo more frequent audits to proactively address potential vulnerabilities, while the substation with lower risk may be audited less frequently. However, even low-risk substations should be audited regularly to maintain a baseline level of security and ensure that vulnerabilities are not overlooked.

3.4.2. Timing of Security Audits

The timing of security audits should be carefully considered to minimize disruptions to substation operations and ensure the availability of critical infrastructure. The following factors should be taken into account:

• Operational Schedules: Security audits should be scheduled to avoid periods of peak demand or critical maintenance activities. This will minimize interference with normal operations and ensure that audits do not disrupt the power supply.
• Seasonal Considerations: Security audits may need to be adjusted based on seasonal factors, such as extreme weather conditions or periods of increased threat activity.
• Security Incidents: In the event of a security incident or attempted attack, security audits should be conducted promptly to identify any underlying vulnerabilities that may have been exploited. This will enable the timely implementation of mitigation measures to prevent future incidents.

3.4.3. Flexibility in Audit Frequency and Timing

The frequency and timing of security audits should not be rigid but rather adaptable to changing threat landscapes and security incidents. As new threats emerge or the risk profile of a substation changes, the audit schedule should be adjusted accordingly. This flexibility ensures that the substation’s security posture remains proactive and responsive to evolving threats. Determining the frequency and timing of security audits for electric power substations requires a careful balance between the need for comprehensive evaluation and the need to minimize disruptions to operations. By considering the substation’s size, sensitivity, risk profile, operational schedules, and changing threat landscapes, utilities providers can effectively protect their critical infrastructure while maintaining a reliable power supply.

3.5. Documentation and Reporting of Audit Findings

This Section includes a detailed explanation of the documentation and reporting of physical security audit findings for electric power substations.

3.5.1. Documentation Procedures

Comprehensive documentation of physical security audit findings is crucial for effectively communicating the results of security audits and ensuring that identified vulnerabilities are addressed. Clear documentation procedures should be established to capture and record all relevant audit findings, including the following:

• Observations: Detailed descriptions of all observations made during the audit, including physical security measures, access controls, security systems, equipment condition, operational procedures, substation environment, etc.
• Vulnerabilities: A clear identification of all vulnerabilities discovered during the audit, categorized based on their severity, likelihood of exploitation, and potential impact.
• Recommendations: Specific recommendations for mitigating the identified vulnerabilities, including suggested actions, timelines, and responsible parties.
• Supporting Evidence: Supporting evidence to substantiate the audit findings, such as photos, screenshots, logs, physical samples, etc.

The documentation should be well-organized and well-structured, easy to understand, and readily accessible to authorized personnel. Electronic documentation systems can be employed to ensure efficient storage, retrieval, and sharing of audit findings.

3.5.2. Reporting Mechanism

An effective reporting mechanism is essential for communicating the audit’s findings to relevant stakeholders, including management, security personnel, substation operators, and regulatory bodies. The reporting mechanism should fulfill the following:

• Identify Stakeholders: Clearly define the roles and responsibilities of all stakeholders who need to receive audit reports.
• Establish Reporting Frequency: Determine the frequency at which audit reports should be issued, considering the substation’s risk profile and audit schedule.
• Define Report Format: Establish a consistent format for audit reports, ensuring that they are comprehensive, actionable, and tailored to the specific needs of the substation.
• Review and Approval Process: Implement a review and approval process to ensure that audit reports are accurate, complete, and aligned with utilities’ policies.
• Distribution Channels: Determine the appropriate distribution channels for audit reports, considering the need for confidentiality and access restrictions.
• Feedback Mechanism: Establish a feedback mechanism to gather input from stakeholders and continuously improve the audit reporting process.

3.5.3. Tailored Audit Reports

Audit reports should be tailored to the specific needs of the substation, considering its size, sensitivity, risk profile, and operational environment. The reports should:

• Summarize Key Findings: Provide a concise summary of the most significant audit findings, including the most critical vulnerabilities and recommendations.
• Prioritize Recommendations: Prioritize the recommended mitigation actions based on their severity and potential impact, guiding immediate and long-term remediation efforts.
• Technical Details: Include technical details for security personnel, operators, and professionals involved in implementing mitigation measures.
• Management Summary: Provide a high-level overview for management, highlighting the overall security posture of the substation and key areas for improvement.
• Regulatory Compliance: Address any regulatory compliance issues identified during the audit and provide a roadmap for achieving compliance.

By adhering to these guidelines, utilities can ensure that audit findings are effectively documented, reported, and acted upon, contributing to the enhanced security of electric power substations and the resilience of the overall power grid.

3.6. Corrective Action and Remediation

The corrective action and remediation should include processes for prioritizing and addressing vulnerabilities identified during security audits which, are discussed below.

3.6.1. Prioritization of Vulnerabilities

Not all vulnerabilities discovered during security audits are equally critical or pose the same level of risk. Therefore, it is essential to prioritize vulnerabilities based on their severity, likelihood of exploitation, and potential impact on the substation and the power grid. The prioritization process involves:

• Severity Assessment: Evaluate the severity of each vulnerability by considering factors such as the ease of exploitation, the potential for disruption or damage, and the sensitivity of the affected assets.
• Likelihood Assessment: Determining the likelihood of each vulnerability being exploited by considering factors such as the availability of exploit tools or techniques, the sophistication of potential adversaries, and the historical patterns of attacks.
• Impact Assessment: Assessing the potential impact of each vulnerability on the substation and the power grid, including potential disruptions to power supply, financial losses, or reputational damage.
• Risk Prioritization: Combining the severity, likelihood, and impact assessments to assign a risk score to each vulnerability. Vulnerabilities with higher risk scores should be prioritized for immediate remediation.

3.6.2. Implementation of Corrective Actions and Remediation Measures

Once vulnerabilities have been prioritized, corrective actions and remediation measures should be implemented in a timely and effective manner to mitigate identified risks. This involves the following:

• Development of Remediation Plans: Developing detailed remediation plans for each prioritized vulnerability, outlining the specific actions required, the timeline for implementation, and the responsible parties.
• Resource Allocation: Allocating sufficient resources, including personnel, equipment, and budget, to support the implementation of remediation plans.
• Change Management: Implementing change management procedures to ensure that remediation efforts are coordinated with operational schedules and minimize disruptions to substation operations.
• Testing and Validation: Conduct thorough testing and validation of implemented remediation measures to verify their effectiveness in addressing the identified vulnerabilities.
• Continuous Monitoring: Continuously monitoring the substation’s security posture and implementing ongoing remediation efforts as new vulnerabilities are discovered or threat landscapes evolve.

3.6.3. Tracking Remediation Progress

Tracking the progress of remediation efforts is crucial for ensuring that vulnerabilities are adequately addressed and that the substation’s security posture is continuously improved. This involves the following:

• Establishing Tracking Mechanisms: Establishing mechanisms to track the progress of remediation efforts, such as status reports, dashboards, or project management tools.
• Regular Review: Regularly reviewing the progress of remediation efforts to identify any delays, challenges, or roadblocks that may need to be addressed.
• Prioritization Adjustments: Adjusting the prioritization of vulnerabilities based on the progress of remediation efforts, ensuring that the most critical risks are addressed promptly.
• Documentation of Remediation Outcomes: Documenting the outcomes of remediation efforts to maintain a record of implemented measures and their effectiveness.
• Lessons Learned: Identifying lessons learned from the remediation process to improve future vulnerability assessment and mitigation efforts.

By effectively prioritizing vulnerabilities, implementing timely and effective remediation measures, and diligently tracking remediation progress, utilities can significantly enhance the security of electric power substations and safeguard critical infrastructure.

3.7. Continuous Improvement and Review

In the ever-evolving landscape of security threats, it is imperative to adopt a continuous improvement approach to security auditing practices for electric power substations. This involves a proactive and iterative approach that emphasizes the ongoing refinement of auditing procedures, incorporation of lessons learned, and adaptation to evolving threats and technologies which are described briefly below.

3.7.1. Importance of Continuous Improvement

Continuous improvements to security auditing practices are crucial for several reasons, which are outlined below:

• Evolving Threat Landscape: The security threat landscape is constantly evolving, with new attack methods, vulnerabilities, and adversaries emerging regularly. Static auditing practices that fail to keep pace with these advancements risk leaving critical vulnerabilities undetected and the substation exposed to potential attacks.
• Technology Advancements: Technological advancements in both offensive and defensive security tools and techniques necessitate the continuous adaptation of auditing practices. Incorporating new technologies and methodologies into the auditing process can enhance the effectiveness of vulnerability identification, risk assessment, and mitigation strategies.
• Lessons Learned from Previous Audits and Incidents: Security audits provide valuable insights into the substation’s security posture and vulnerabilities. Incorporating lessons learned from previous audits and security incidents into future auditing processes can help identify patterns, anticipate recurring issues, and prioritize areas for improvement.

3.7.2. Incorporating Lessons Learned

Effectively incorporating lessons learned from previous audits and security incidents involves the following:

• Reviewing Audit Findings and Incident Reports: Thoroughly reviewing the findings from previous audits and reports of security incidents to identify common vulnerabilities, attack methods, and areas where auditing procedures may have been inadequate.
• Identifying Patterns and Trends: Analyzing the information collected to identify patterns and trends in vulnerabilities, attack methods, and adversary behaviors. This can help in anticipating emerging threats and prioritizing areas for enhanced auditing focus.
• Updating Auditing Procedures: Based on the identified patterns and trends, updating auditing procedures to incorporate new techniques, methodologies, and tools to address evolving threats and vulnerabilities.

3.7.3. Adapting to Evolving Threats and Technologies

Adapting to evolving threats and technologies involves the following:

• Staying Informed about Emerging Threats: Continuously monitoring security threat intelligence feeds, industry reports, and research publications to stay informed about emerging threats, vulnerabilities, and attack methods.
• Evaluating New Technologies: Evaluating new security technologies and methodologies to determine their potential applicability in enhancing the effectiveness of security audits.
• Pilot Testing and Integration: Pilot testing new technologies and methodologies in a controlled environment before integrating them into the auditing process to ensure their effectiveness and compatibility with existing procedures.

3.7.4. Regular Review and Updates

Regularly reviewing and updating security auditing procedures is essential to ensure that they remain relevant and effective in addressing evolving threats and vulnerabilities. This involves the following:

• Establishing a Review Schedule: Establishing a regular schedule for reviewing and updating security auditing procedures, typically on an annual or biannual basis.
• Involving Stakeholders: Involving relevant stakeholders, including security professionals, management, and regulatory bodies, in the review process to gather diverse perspectives and ensure that the updated procedures align with utilities’ goals and regulatory requirements.
• Documentation of Updates: Document all updates to security auditing procedures to maintain a clear history of changes and facilitate future reviews.
• Training and Awareness: Providing training and awareness to auditors and relevant personnel on the updated auditing procedures to ensure their effective implementation and consistent application.

By adopting a continuous improvement approach to security auditing practices, utilities can effectively protect their critical electric power substations from evolving security threats, ensuring the reliable and secure delivery of electricity to consumers.

4. Proposed Example of Conventional Framework for Substation Physical Security Audit Process

An example framework for the substation physical security auditing process is proposed, as illustrated in Figure 2, which incorporates best practices and potential considerations to comply with the methodology discussed in Section 3. This includes pre-auditing planning, on-site audits, post-audit analysis and reporting, and follow-up [42,43,44,45].

4.1. Pre-Audit Planning

The pre-audit planning should consider the following steps:

• Define Scope and Objectives: This is a critical step which should consider the following:
  • Focus Areas: Will the entire substation be audited, or will it target specific areas like perimeter security or access control systems, etc.?
  • Vulnerability Focus: Is the audit looking for general security weaknesses or focusing on known threats such as cyberattacks or physical intrusion attempts or some other irregularities or all?
  • Compliance Requirements: Are there any industry standards or regulatory requirements that the audit needs to address?
• Assemble the Audit Team: The team should consist of individuals with relevant expertise and should involve the following:
  • Security Professionals: Individuals with experience in physical security assessments and knowledge of substation security best practices.
  • Substation Operations Staff: Those familiar with the substation’s layout, security protocols, and day-to-day operations can provide valuable insights.
  • Engineers: Their expertise can be crucial in evaluating the physical security of buildings, perimeter fencing, and equipment.
• Gather Information: Thorough preparation beforehand is key. The auditors should collect the following information:
  • Security Policies and Procedures: These documents outline the protocols for perimeter security, access control, alarm systems, and response to security incidents, etc.
  • Substation Layouts and Blueprints: These plans are essential for visualizing the physical layout of the facility, identifying critical assets, and understanding potential vulnerabilities.
  • Incident Reports: Reviewing past security incidents can reveal recurring problems or areas needing extra attention.
  • Maintenance Records: Understanding the upkeep and functionality of security equipment is crucial.

4.2. On-Site Audit

4.2.1. Parameters and Checklists

During the on-site visit, there are various parameters and checklists that auditors need to examine and give scores to; some of them are listed below:

• Perimeter Security: A thorough evaluation of the physical barriers surrounding the substation is vital:
  • Fences: Are they constructed from appropriate materials (e.g., chain link with barbed wire) and in good repair? Are there any gaps or weak points?
  • Gates: Are they secure, properly locked, and monitored for unauthorized access?
  • Security Lighting: Is the lighting adequate to illuminate the perimeter at night and deter potential intruders?
  • Natural Barriers: Are there any natural elements like trees or bushes that could be used to conceal unauthorized activity?
• Access Control: The access control parameters and checklist auditors need to follow are as follows:
  • Authorized Personnel: Who is allowed access to the substation, and for what reasons?
  • Access Credentials: What type of credentials are used (e.g., key cards, biometric scans)? Are these credentials secure and properly managed?
  • Visitor Management: How are visitors controlled and monitored?
  • Escort Procedures: Are there procedures for escorting authorized visitors who are not substation personnel?
  • Mantraps and Access Interlocking Systems: Are these high-security entryways present, and do they function properly?
• Intrusion Detection and Response: The effectiveness of measures to detect and respond to security breaches is crucial and auditors need to focus on the following:
  • Alarm Systems: Are they properly functioning and strategically placed to detect unauthorized entry?
  • Security Cameras: Are they operational, provide adequate coverage, and record activity?
  • Response Plans: Are there clear and well-rehearsed procedures for responding to security incidents? These plans should involve notifying security personnel, law enforcement, and relevant authorities [46].
• Documentation Keeping and Recording: Auditors need to focus on proper documentation which ensures continuity and accountability considering the following:
  • Security Logs: Are they maintained accurately and consistently, recording access attempts, security incidents, and maintenance activities?
  • Security Procedures: Are they clearly documented, readily available to staff, and up to date?
  • Incident Reports: Are they documented thoroughly and investigated to identify root causes and prevent similar occurrences?

4.2.2. Audit Evaluation Criteria and Scoring

The audit evaluation and scoring criteria for each component and subcomponent can be further elaborated and customized based on individual substation priorities and risk assessments. The scoring is awarded based on the presence and effectiveness of various security elements and divided into five levels of preparedness (least, low, moderate, significant, and high) each assigned a weighted score as demonstrated in

Table 2. Physical security audit evaluation criteria and scoring for level of preparedness vs. impact.

S. No.	Key Areas	Evaluation Criteria	Weighted Score	Impact (1–5)
Level of Preparedness (Scoring 1–5)				Least (1)	Low (2)	Moderate (3)	Significant (4)	High (5)
A	Physical Security Measures (50 points)	1.1. Perimeter Security	15
		Presence and effectiveness of fencing, barriers, and access control systems.	5	5	4	3	2	1
		b. Lighting conditions and surveillance cameras covering the perimeter.	5	5	4	3	2	1
		c. Regular inspections and maintenance of perimeter security measures.	5	5	4	3	2	1
		1.2. Building Security	15
		Robustness of building materials and construction against potential forced entry.	5	5	4	3	2	1
		b. Presence and effectiveness of door and window security features (e.g., alarms, reinforced frames).	5	5	4	3	2	1
		c. Limited access points and controlled entry procedures for authorized personnel.	5	5	4	3	2	1
		1.3. Equipment Security	20
		Physical protection of critical transformers and other sensitive equipment.	5	5	4	3	2	1
		b. Regular inspection and maintenance of each equipment.	5	5	4	3	2	1
		c. Redundancy and backup systems are in place to minimize disruption in case of attack.	5	5	4	3	2	1
		d. Tamper-evident seals and monitoring systems for critical equipment.	5	5	4	3	2	1
B	Security Awareness and Training (25 points)	2.1. Employee Training	10
		Regular training programs for personnel on recognizing and reporting suspicious activity.	5	5	4	3	2	1
		b. Training on emergency procedures and evacuation protocols in case of an attack.	5	5	4	3	2	1
		2.2. Incident Reporting and Communication	10
		Clear and established procedures for reporting suspicious activity and security breaches.	5	5	4	3	2	1
		b. Effective communication channels within the utility and with relevant authorities.	5	5	4	3	2	1
		2.3. Cybersecurity Awareness	5
		Basic cybersecurity training for personnel to identify and avoid potential cyber threats.	5	5	4	3	2	1
C	Emergency Response Plans and Procedures (25 points)	3.1. Pre-incident Planning	10
		Development of a comprehensive emergency response plan outlining response procedures for physical attacks.	5	5	4	3	2	1
		b. Conducting regular drills and exercises to test the effectiveness of the plan.	5	5	4	3	2	1
		3.2. Incident Response Team and Resources	10
		Establishment of a dedicated incident response team with trained personnel.	5	5	4	3	2	1
		b. Availability of necessary resources and equipment for responding to an attack.	5	5	4	3	2	1
		3.3. Coordination with Authorities	5
		Established communication protocols and procedures for collaboration with law enforcement and other emergency responders.	5	5	4	3	2	1
Total Score: This is the sum of the scores of all three categories. A higher score indicates a higher level of preparedness and awareness against physical attacks.			100 points	$$TotalScore={\displaystyle \sum A1.1.a.+A1.1.b+A1.1.c+\dots \dots \dots \dots \dots \dots \dots +C3.3.a}$$

. The level of impact that a facility may face is also assigned relative to the level of preparedness. If the level of preparedness is high, the impact of a physical incident would be low, and if the level of preparedness is low, then the impact of a physical incident is higher. Auditors can prepare a scoring table considering all the factors for any vulnerabilities or risk as shown in Table 2, and note down the necessary vulnerabilities for further analysis and detailed reporting.

In the above table, the total score represents the overall preparedness and awareness towards physical incidents, with higher scores indicating better security measures. The score for each category is weighted according to its importance, and individual components within each category are scored based on their effectiveness. The maximum achievable score is 100. To review the total score, this paper further categorizes the overall level of preparedness into three levels as follows:

• Low Preparedness (0–49): This indicates significant vulnerabilities and gaps in security measures and requires urgent action for improvement in multiple areas to ensure basic security against possible threats. The facilities with this score may lack fundamental security measures, maintenance, and adequate training for security personnel, etc.
• Medium Preparedness (50–79): This indicates a moderate level of security involving some security measures but has some notable vulnerabilities. These facilities are likely to have some effective security practices, while they may require some improvements in some areas to handle more possible threats. These facilities require necessary upgrades in security posture but it is not urgent depending upon the risk and probability of threat in that area.
• High Preparedness (80–100): This indicates the facility is robust and has implemented a strong overall security posture. While it requires periodic continuous monitoring to maintain and further elevate security with evolving threats.

Further, the scoring for the level of preparedness needs to be evaluated on the following basis, as stated in Table 2:

• Perimeter security is evaluated based on the presence and effectiveness of fencing, barriers, access control systems like gates and keypads, lighting, and surveillance cameras. Regular inspections and maintenance also contribute to the score. A high score is awarded for a strong perimeter with high fences, robust access control, well-lit areas, comprehensive camera coverage, and regular inspections. Conversely, a weak perimeter with easily bypassed access points, poor lighting, and lack of camera coverage or maintenance results in a low score.
• Building security is assessed based on the strength of building materials against forced entry, door, and window security features like alarms and reinforced frames, and controlled access procedures for authorized personnel. A high score is given for sturdy building construction, reinforced doors and windows with alarms, limited access points, and strict entry protocols. Flimsy building materials easily breached doors and windows, and lax access control led to a low score.
• Equipment security scores are determined according to the physical protection of critical transformers and equipment, the presence of redundancy and backup systems to minimize disruption in case of an attack, and the use of tamper-evident seals and monitoring systems. High scores are awarded when critical equipment is physically shielded, redundant systems are in place, and tamper-evident seals and monitoring systems are utilized. Low scores result from exposed or easily accessible equipment, lack of backup systems, and absence of tamper-evident seals or monitoring.
• Security awareness and training are measured through employee training programs on recognizing and reporting suspicious activity, emergency procedures, and evacuation protocols. High scores are given for regular, comprehensive training programs, while infrequent or non-existent training programs result in low scores. Incident reporting and communication are evaluated based on the clarity and accessibility of established procedures for reporting suspicious activity and security breaches, as well as the effectiveness of communication channels. Clear, well-defined procedures, efficient internal communication, and established protocols for contacting authorities receive high scores, whereas unclear or non-existent reporting procedures and poor communication lead to low scores. Cybersecurity awareness is assessed based on the implementation of basic cybersecurity training programs. Regularly offered training receives high scores, while no training results in low scores.
• Emergency response plans and procedures include pre-incident planning and the establishment of an incident response team. Pre-incident planning is scored on the development and implementation of a comprehensive emergency response plan and regular drills to test its effectiveness. A well-developed plan with regular drills earns a high score, while an outdated or non-existent plan without drills results in a low score. Incident response teams and resources are evaluated based on the establishment of a dedicated team with trained personnel, contributing to the overall security score.

This conventional quantifiable measure quantifies the substation’s preparedness against physical attacks. It also identifies areas for improvement by highlighting weaknesses in security measures, training, and response plans, and facilitates comparison of the security posture across different substations within the utility. Further, it guides resource allocation for targeted improvements based on the identified vulnerabilities. This conventional method has some limitations which undermine its effectiveness, as it relies on accurate and reliable data collected through assessments and evaluations. And, the scoring system should be reviewed and adjusted periodically to reflect A such threats and best practices.

4.3. Post-Audit Analysis and Reporting

In this stage of the audit, the auditors need to perform some analyses using the available dataset from the on-site visit and prepare a thorough report. Figure 3 illustrates the flowchart for the post-audit analysis process performed by auditors. This flowchart will provide a clear visual guide for the post-analysis process in physical security auditing, helping stakeholders understand the sequence and logic behind the auditing and risk management activities.

The post-audit analysis process is further discussed as follows:

• Analyze Findings and Risk Assessment: The audit team needs to translate sit observations into actionable insights by performing the following:
  • Identify Vulnerabilities: Based on the on-site assessment, specific weaknesses in the substation’s security posture are identified. The total physical security vulnerability of the substation $(Vu{l}_{ps})$ can be expressed in Equation (1).

    $$Vu{l}_{ps}=f\{V_{psd};V_{pssat};V_{pserpp}\}$$

    (1)

    where $V_{psd}$ is the direct vulnerabilities referring to the physical security measures as mentioned in Table 2 (A), $V_{pssat}$ is the vulnerabilities in the security awareness and training as mentioned in Table 2 (B), and $V_{pserpp}$ is the vulnerabilities in emergency response plan and procedure as mentioned in Table 2 (C).
  • Likelihood and Impact: The team assesses the likelihood of vulnerabilities being exploited and the potential Impact of a successful attack. This helps prioritize the substation for addressing vulnerabilities. Equation (2) gives the likelihood of vulnerability in a substation.

    $$L=1-{\left(1-l\right)}^n$$

    (2)

    where L is the likelihood of vulnerabilities; l is the likelihood of failure dure to vulnerability; and n is the number of vulnerabilities.
    The severity of vulnerabilities is related to their impact after a successful attack, which can be computed by Equation (3). Setting up n potential attack vectors, the impact values are additive, meaning the overall impact is the sum of individual impacts. The values must be normalized on a scale (1–5) as in Table 2.

    $$I{m}_n={\displaystyle \frac{a_1}{A_1}}+{\displaystyle \frac{a_2}{A_2}}+\dots \dots \dots +{\displaystyle \frac{a_n}{A_n}}$$

    (3)

    where $I{m}_n$ is the overall impact of a successful attack; $a_1,a_2,\dots \dots a_n$ are the attack value of the attack vector n; and $a_1,a_2,\dots \dots a_n$ is the maximum potential impact of the attack vector n.
  • Risk Calculation: The overall risk can be computed as a product of likelihood, impact, and load served by the substation during that period.

    $$Risk=L_k\times I{m}_k\times L{S}_k$$

    (4)

    where $L_k$ is the likelihood of vulnerabilities in period k, $I{m}_k$ is the impact in period k, and $L{S}_k$ is the load served in period k. Any failures or the possibility of a successful attack depends on the possible vulnerabilities, the severity of the vulnerability and the amount of load server, or the importance of the area to which load is served by the substation.
  • Create a Risk Matrix: A risk matrix can be used to visually represent the severity of each vulnerability based on likelihood versus impact. This helps decision makers allocate resources effectively. An example of a physical security risk matrix involving any probability of any risk vs. impact resulting in its risk level with corresponding recommendation is demonstrated in

    Table 3. Example of risk matrix for physical security auditing of substation.

    Probability	Impact	Risk Level	Recommendation
    Low (1–2)	Low (1–2)	Low	Minimal risk, routine monitoring may suffice.
    Low (1–2)	Medium (3–4)	Medium	Consider implementing prevention measures.
    Low (1–2)	High (5)	High	Immediate action to address the risk.
    Medium (3–4)	Low (1–2)	Medium	Consider implementing prevention measures.
    Medium (3–4)	Medium (3–4)	High	Significant risk, prioritize mitigation strategies.
    Medium (3–4)	High (5)	Very High	Urgent action is required, with the potential for severe consequences.
    High (5)	Low (1–2)	High	Significant risk due to high probability, prioritize mitigation measures.
    High (5)	Medium (3–4)	Very High	Urgent action is required, with the potential for severe consequences.
    High (5)	High (5)	Extreme	Immediate action is required, highest risk category.

    .
  • Cost–Benefit Analysis: Also, the auditors should compute a cost–benefit analysis before putting forward strict recommendations for enhancing security measures. This can involve cost savings for insurance premiums with enhanced security, the avoidance of losses from any such incidents, and increased revenue due to improved reliability. The cost–benefit ratio can be expressed as Equation (5).

    $$CBR={\displaystyle \frac{T_{Benefit}}{T_{\mathit{Cost}}}}$$

    (5)

    where CBR is the cost–benefit ratio, $T_{Benefit}$ is the total benefit from employing the recommended measures, and $T_{\mathit{Cost}}$ is the total cost required of employing the physical security measures. If the CBR ratio is greater than 1, which shows the benefits outweigh the costs, implementing the measures recommended by the audit becomes feasible, and if it is less than 1, the CBR ratio does not recommend the upgrade, but if it relates to other essential factors in the grid such as stability issues, the enhancement becomes necessary. It is also necessary to perform a through cost–benefit analysis through which a well-informed decision can be made and the resources can be allocated.
    Using the equations and methods discussed above, a risk assessment of the substation can be carried out after the on-site audit. These methods can be customized and formulated accordingly to give more accurate and better results.
• Develop Recommendations and Corrective Actions: This is an important step for enhancing the substation’s physical security with the recommendations and findings of the successful audit. The auditors should translate the findings relating to the on-site audit and post-analysis audit results into actionable steps:
  • Specific Recommendations: Prepare detailed suggestions and improvement actions to be taken for improving the security of the substation categorizing it into levels such as urgent implementation, suggest implementation but not urgent, and can consider for implementation.
  • Corrective Action: Assign a team to employ the corrective action according to the suggested recommendation as soon as possible.

4.4. Follow-Up

The process of physical security audit follow-up is demonstrated in Figure 4. It guides the management of the ongoing security posture of electric power substations, emphasizing the importance of continuous monitoring, evaluation, and planning for future audits.

Follow-ups can be carried out for the following reasons:

• Monitor Implementation of Corrective Actions: The implementation of the corrective actions identified in the audit report is monitored to ensure that they have been effectively fixed or not. Also, those are monitored in the long run to check their effectiveness in improving the substation’s security.
• Schedule Periodic Review: Regular security audits are essential to maintain a strong security posture. The scheduling of follow-up audits needs to be planned to ensure the ongoing effectiveness of the security measures.

5. Conclusions and Recommendation

The escalating complexity and incidence of physical assaults on electric power substations have underscored an immediate requirement for thorough and preemptive security strategies. This paper emphasizes the pivotal role of regular physical security audits in bolstering the resilience of substations against an expanding array of threats. It highlights that while utilities providers have concentrated on assessing grid vulnerabilities and executing security enhancements, there has been a noticeable deficiency in assessing the durability and effectiveness of these measures over time.

This paper introduces a conventional auditing framework designed to uncover vulnerabilities and appraise the robustness of current security measures. This framework, encompassing checklists, on-site inspections, and subsequent recommendations, is proposed as a means to systematically fortify substation defenses. By integrating regular security audits into utility operations, the framework is projected to not only enhance the resilience of substations but also bolster the overall reliability of the power grid.

The findings from this study suggest that a systematic auditing approach is essential for proactively identifying and mitigating risks. It reveals that the integration of advanced technologies and the adoption of a risk-based strategy can significantly improve the auditing process. Furthermore, the paper underscores the importance of continuous improvement and the incorporation of lessons learned from previous audits and incidents. Through this, utilities providers can ensure that their security posture remains adaptive and responsive to the ever-changing threat landscape, thereby safeguarding critical infrastructure and ensuring the uninterrupted supply of electricity.

The key points and recommendations presented in this paper can be outlined as follows:

• Establish a regular security auditing schedule: Determine the appropriate frequency of security audits based on the substation’s size, sensitivity, and risk profile.
• Involve qualified security professionals: Engage experienced security professionals to conduct comprehensive and effective security audits.
• Adopt a risk-based approach: Prioritize vulnerability mitigation efforts based on the severity and likelihood of exploitation of identified vulnerabilities.
• Implement timely remediation measures: Promptly address identified vulnerabilities to minimize the risk of successful attacks and disruptions.
• Continuous monitoring and improvement: Continuously monitor the substation’s security posture, adapt auditing procedures to evolving threats, and incorporate lessons learned from previous audits.
• Regulatory compliance and stakeholder communication: Ensure compliance with security regulations and maintain open communication with stakeholders regarding security measures.

By adhering to these key points and recommendations, utilities providers can effectively utilize physical security audits to enhance the physical security of their electric power substations. Finally, it is recommended that utilities must continuously evaluate their security posture, adopt a continuous improvement mindset, and implement effective mitigation strategies to protect their critical infrastructure and ensure the reliable and secure delivery of electricity.

To expand on this work, this study recommends some potential future research directions to develop automated comprehensive security auditing with the use of advanced technologies and integration of AI and IoT and standardized auditing protocols including regulations and policy frameworks.